[stunnel-users] Confusion regarding part of stunnel.conf
Dave
dave at momentumweb.com
Thu Feb 10 01:13:30 CET 2011
I've set up a test of stunnel with the latest stunnel and latest
openssl, and if I set "verify=0" or "verify=1" I can get it to work (I'm
tunneling a pop3 session), but if I set it any higher (to 2 or 3) it
won't work for me.
Now, I'm not sure which level is "necessary" because in stunnel.conf I read:
-------------------------
; authentication stuff needs to be configured to prevent MITM attacks
; it is not enabled by default!
;verify = 2
-------------------------
... which sounds like verify defaults to 0. But is a verify level of 1
enough to solve the man-in-the-middle problem? It seems like it would
not be (since level 1 will allow absence of a certificate), but I am not
sure. I guess my questions boil down to:
1) What are the necessary settings for "authentication stuff" to prevent
the MITM attack vector mentioned in stunnel.conf?
2) What is the proper way to set up (self-signed) certs to prevent such
an attack? Can a self-signed cert be used at a verify level of 2 or 3?
Dave
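
Added example, not part of the original post: a client-side stunnel.conf that contrasts the verify levels the question asks about, assuming the client is the side checking a self-signed server certificate. The host name, port and file paths are placeholders.

```ini
; Constructed example. mail.example.com and the paths below are placeholders.

; This stunnel instance runs next to the POP3 client and wraps its
; plaintext connection in TLS towards the remote server.
client = yes

[pop3s]
accept  = 127.0.0.1:110
connect = mail.example.com:995

; Weak settings, shown commented out for comparison:
;   verify = 0  no peer certificate verification; this is what you get
;               when verify is left unset
;   verify = 1  verify the peer certificate if present; a peer that
;               presents no certificate is still accepted
;verify = 1

; Hardened settings:
;   verify = 2  require a peer certificate and verify it against the
;               certificates in CAfile/CApath
;   verify = 3  require the peer certificate itself to be installed
;               locally in CAfile/CApath
; Levels 2 and 3 need CAfile or CApath to name what is trusted.
;
; A self-signed certificate is its own issuer, so a copy of the server's
; certificate placed in CAfile serves as the trust anchor at level 2 and
; as the locally installed peer certificate at level 3.
; Copy only the certificate to the client, never the server's private key.
CAfile = /etc/stunnel/server-cert.pem
verify = 3
```

At level 2 any certificate that chains to an entry in CAfile is accepted, so CAfile should hold only the certificates meant to be trusted for this service.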